Environment

Situation

A user cannot change their password more than once a day in SSPR.

In the "change password" screen, accessed directly from the SSPR main menu, trying to change the password more than once a day loops the user back to the SSPR change password screen without changing the password. LDAP error 19 (constraint violation) shows in the error log.

Resolution

While testing, set the "Minimum Password Age" to 0. Change it back when testing is finished.

Cause

By default, the Active Directory password policy sets "Minimum password age" to one day. This means that a user must use a password for one day before changing it.

Additional Information

Setting "Minimum Password Age" to 0 allows the password to be changed multiple times in succession. Be sure to change it to something other than 0 when testing is finished if you want to enable the password history restriction in the AD policy. Microsoft discourages setting "Minimum Password Age" to 0, pointing out that doing so somewhat negates the value of the password history list. See http://technet.microsoft.com/en-us/library/cc779758%28v=ws.10%29.aspx
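The following PowerShell is an added example, not part of the original article or of SSPR. It reports the minimum password age that actually applies to a test account (to confirm the cause of LDAP error 19) and sets the default domain policy to 0 only for the duration of a test, restoring it afterwards. It assumes the ActiveDirectory (RSAT) module and rights to edit the domain policy; the function names and the account name `sspr.test` are hypothetical.

```powershell
# Added example. Requires the ActiveDirectory module and rights to edit the domain policy.
Import-Module ActiveDirectory

function Get-EffectiveMinPasswordAge {
    param([Parameter(Mandatory)][string]$User)
    # A fine-grained policy (PSO), if one applies, overrides the default domain policy.
    $pso    = Get-ADUserResultantPasswordPolicy -Identity $User
    $policy = if ($pso) { $pso } else { Get-ADDefaultDomainPasswordPolicy }
    $u      = Get-ADUser -Identity $User -Properties PasswordLastSet
    [pscustomobject]@{
        User            = $u.SamAccountName
        PolicySource    = if ($pso) { "PSO: $($pso.Name)" } else { 'Default domain policy' }
        MinPasswordAge  = $policy.MinPasswordAge
        HistoryCount    = $policy.PasswordHistoryCount
        PasswordLastSet = $u.PasswordLastSet
        # Before this time a change is rejected with a constraint violation.
        EarliestChange  = if ($u.PasswordLastSet) {
                              $u.PasswordLastSet + $policy.MinPasswordAge
                          } else { $null }
    }
}

function Invoke-WithZeroMinPasswordAge {
    param([Parameter(Mandatory)][scriptblock]$Test)
    # Only the default domain policy is changed here. If the report above shows
    # a PSO, adjust that PSO with Set-ADFineGrainedPasswordPolicy instead.
    $domain   = (Get-ADDomain).DNSRoot
    $original = (Get-ADDefaultDomainPasswordPolicy -Identity $domain).MinPasswordAge
    try {
        Set-ADDefaultDomainPasswordPolicy -Identity $domain -MinPasswordAge ([TimeSpan]::Zero)
        & $Test
    }
    finally {
        # Always restore the saved value so the password history list keeps its effect.
        Set-ADDefaultDomainPasswordPolicy -Identity $domain -MinPasswordAge $original
        Get-ADDefaultDomainPasswordPolicy -Identity $domain |
            Select-Object MinPasswordAge, PasswordHistoryCount
    }
}

# Usage (uncomment to run; 'sspr.test' is a hypothetical test account):
# Get-EffectiveMinPasswordAge -User 'sspr.test'
# Invoke-WithZeroMinPasswordAge -Test { Read-Host 'Run the SSPR tests, then press Enter' }
```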
